CyberWatch

Why We Need NIST's Post-Quantum Cryptography Standards

By Shubham Agarwal, Contributing Writer, Access Point Consulting

In 2015, the National Security Agency sounded an unexpected warning: it recommended that U.S. agencies and businesses prepare for Q-Day, the day a sufficiently large quantum computer breaks the public-key encryption we rely on today. On Q-Day, the cryptography guarding digital records such as emails, financial data, and even national security information would no longer hold against an adversary with such a machine.

“IAD [Information Assurance Directorate] will initiate a transition to quantum-resistant algorithms in the not too distant future,” read the NSA statement. That was about a decade ago, and if some estimates are to be believed, Q-Day may be right around the corner.  

In one recent Forrester study, most industry experts surveyed put the chance that quantum computing cracks today's public-key cryptosystems within the next couple of years at 50-70%. (Symmetric ciphers such as AES are only modestly weakened by known quantum algorithms and can be kept safe with larger keys; it is public-key schemes such as RSA and elliptic-curve cryptography that break outright.) At the same time, the ‘spooky’ physics of entangled subatomic particles that a quantum-enabled internet would exploit could, in theory, pave the way for key exchange whose security rests on the laws of physics rather than on the difficulty of a math problem.

The frantic scramble across organizations, from governments to tech giants like Google and Cisco, to prepare for both the threats and the benefits of quantum computing is reminiscent of Y2K, a computer bug the world spent hundreds of billions of dollars to overcome. Could quantum computers be the once-in-a-generation game-changer for cybersecurity? Or will the transition end up an incremental technological shift like Y2K, where the feared catastrophe never materialized?

Cybersecurity’s Quantum Era

Much of the internet today relies on public-key cryptography. A mathematical procedure produces a pair of keys: one that is published and one that is kept private. The two are linked, so in principle anyone who could solve the underlying math problem, such as factoring the large number in an RSA public key or computing a discrete logarithm on an elliptic curve, could derive the private key and read or forge anything protected by it. That is easier said than done: for keys of today's sizes, even the world's most powerful supercomputer would need an astronomically long time to recover a single private key, let alone those of a broad population of users.

A large quantum computer turns that calculation on its head. Such a machine is not simply faster at everything, but for a few specific problems it can run algorithms with no efficient classical equivalent. In 1994, mathematician Peter Shor showed, on paper, a quantum algorithm that factors integers and computes discrete logarithms in polynomial time, which breaks RSA, Diffie-Hellman, and elliptic-curve cryptography, the public-key schemes protecting most of today's internet traffic. That result sparked a worldwide effort to build quantum-safe cryptography.
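Shor's result can be made concrete at toy scale. The following Python is an added example, not code from the article or from NIST: it generates a textbook RSA key, then recovers the private exponent from the public key alone by the route Shor's algorithm takes. The period-finding step, which is the only part a quantum computer is needed for, is done here by brute force (hopelessly slow for real key sizes); the primes, the seed and the function names are the example's own.

```python
"""Added example: why Shor's algorithm breaks RSA (toy sizes only).

RSA's private key follows from the factors of the public modulus n. Shor's
algorithm factors n by finding the period r of f(x) = a^x mod n; that period
search is the only step that needs a quantum computer. Here it is done by
brute force, which is exponential in the size of n and hopeless for real
keys, but it shows that the rest of the attack is ordinary classical arithmetic.
"""
import random
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key generation from two primes (no padding, toy sizes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                     # private exponent
    return (n, e), d


def find_period(a, n):
    """Smallest r > 0 with a^r = 1 (mod n), for gcd(a, n) == 1.

    Classical brute force standing in for the quantum Fourier transform step
    of Shor's algorithm; the number of multiplications grows with the period,
    which for real RSA moduli is astronomically large.
    """
    r, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        r += 1
    return r


def shor_factor(n, rng=None):
    """Factor n = p*q via period finding; retries the random base a when needed."""
    rng = rng or random.Random(7)           # seed is the example's own choice
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:                          # lucky: a already shares a factor
            return g, n // g
        r = find_period(a, n)
        if r % 2:                           # odd period gives no useful root
            continue
        y = pow(a, r // 2, n)               # y^2 = 1 (mod n)
        if y == n - 1:                      # trivial square root, try another a
            continue
        p = gcd(y - 1, n)                   # non-trivial root splits n
        return p, n // p


def recover_private_key(n, e, rng=None):
    """What an attacker with Shor's algorithm gets from the public key (n, e)."""
    p, q = shor_factor(n, rng)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    (n, e), d = rsa_keygen(61, 53)          # toy primes; real keys use ~1024-bit primes
    ciphertext = pow(42, e, n)
    d_recovered = recover_private_key(n, e)
    print(f"n={n} e={e} d={d} recovered={d_recovered}")
    print("decrypted with recovered key:", pow(ciphertext, d_recovered, n))
```

The attacker never needs the primes in advance; everything follows from the public pair (n, e). The asymmetry the text describes is exactly the gap between the classical cost of find_period, which grows with the period, and the polynomial cost Shor's quantum period finding achieves.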

“Quantum computers will continue to advance rapidly,” says Michele Mosca, a quantum computing professor at the University of Waterloo in Ontario, Canada, “and it's absolutely imperative to be ready to mitigate the intrinsic cyber risks.”

Last month, the National Institute of Standards and Technology (NIST), the U.S. federal standards agency, published its first set of finalized post-quantum cryptography (PQC) standards: FIPS 203 (ML-KEM, a key-encapsulation mechanism for establishing shared secrets), FIPS 204 (ML-DSA, a digital signature scheme), and FIPS 205 (SLH-DSA, a hash-based signature scheme). The result of an eight-year selection process that began with an open call for submissions in 2016, these standards set the benchmark for resisting attacks by quantum computers and signal to enterprises, government agencies, and vendors that it is time to begin transitioning.

The new standards rest on mathematical problems for which no efficient quantum algorithm is known. Two of the three, ML-KEM and ML-DSA, use lattice-based cryptography, which replaces the factoring and discrete-logarithm problems behind RSA and elliptic-curve keys with problems on a high-dimensional lattice, a regular grid of points extending in hundreds of dimensions. Roughly, the public key consists of lattice points perturbed by small random noise; recovering the private key means finding the short or nearby lattice vector hidden behind that noise, a search believed to be intractable for quantum and classical computers alike. The third standard, SLH-DSA, avoids lattices entirely and relies only on the security of hash functions.

“The first imperative for enterprises is to migrate their public key cryptography to post-quantum public key algorithms,” adds Dr. Mosca, “and this will require a significant uplift in how cryptography is managed, and collaboration with vendors, regulators, and various third parties.”

The Present Need to Prepare for Future Quantum Threats

While quantum computers capable of breaking today's public-key cryptography do not yet exist, and estimates of when one will arrive vary widely, the transition to quantum-safe algorithms already matters because of “harvest now, decrypt later” attacks. In such a scenario, threat actors record encrypted traffic and stored ciphertext today, assuming they will be able to decrypt it once quantum technology is available. Any data that must stay confidential for longer than the time remaining until Q-Day is therefore exposed now, not later.

“We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future,” said Alejandro Mayorkas, Secretary of Homeland Security.

Quantum technology will not only expose organizations to a new class of attack. It also offers a way to secure communication whose guarantee rests on physics rather than on the assumed difficulty of a math problem, although, as with any security technology, that guarantee covers the protocol and not automatically every device that implements it.

A Paradigm Shift in Information Security

The bits that power quantum computing, called qubits, differ from classical bits in two ways that matter here. Measuring an unknown quantum state disturbs it, and such a state cannot be copied. Qubits can also be entangled, so that measuring one fixes what a measurement of its partner will show, even across a large distance. Quantum Key Distribution (QKD) builds on these properties: two parties exchange qubits to agree on a secret key and then publicly compare a sample of their results. An eavesdropper who intercepts and measures the qubits unavoidably introduces errors, so the parties detect the intrusion and discard the key rather than use it.
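The eavesdropping detection QKD relies on can be simulated classically. The following Python is an added example, not from the article or from Dr. Kues's group: it runs the BB84 protocol between Alice and Bob, optionally with an intercept-and-resend eavesdropper, and estimates the error rate of the sifted key. The 11% abort threshold, the seed and all names are assumptions of the example.

```python
"""Added example: BB84 quantum key distribution, simulated classically.

A photon is modelled as the (bit, basis) pair Alice encoded. Measuring in the
same basis returns the bit; measuring in the other basis returns a uniformly
random bit and leaves the photon in that measured state. That disturbance is
what lets Alice and Bob detect an eavesdropper: an intercept-and-resend Eve
guesses the wrong basis half the time and then corrupts Bob's result half of
those times, leaving about 25% errors in the sifted key.
"""
import random

ABORT_THRESHOLD = 0.11   # assumed here; the usual BB84 security bound is about 11% QBER


def measure(photon, basis, rng):
    """Return (outcome, photon after measurement)."""
    bit, enc_basis = photon
    if basis == enc_basis:
        return bit, photon
    outcome = rng.randrange(2)               # wrong basis: result is random ...
    return outcome, (outcome, basis)         # ... and the photon collapses to it


def bb84(n_photons, eavesdrop=False, seed=0):
    """Run one BB84 session; returns the QBER estimate, abort decision and both keys."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    photons = list(zip(alice_bits, alice_bases))

    if eavesdrop:                            # Eve measures and re-sends each photon
        photons = [measure(p, rng.randrange(2), rng)[1] for p in photons]

    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [measure(p, basis, rng)[0] for p, basis in zip(photons, bob_bases)]

    # Sifting (public channel): keep only positions where both chose the same basis
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Error estimate: publicly compare the first half of the sifted bits ...
    sample, remaining = sifted[:len(sifted) // 2], sifted[len(sifted) // 2:]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 1.0

    # ... and keep the rest as key material only if the error rate is acceptable
    abort = qber > ABORT_THRESHOLD
    alice_key = [] if abort else [alice_bits[i] for i in remaining]
    bob_key = [] if abort else [bob_bits[i] for i in remaining]
    return {"qber": qber, "abort": abort, "alice_key": alice_key, "bob_key": bob_key}


if __name__ == "__main__":
    for eve in (False, True):
        res = bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: QBER={res['qber']:.3f} abort={res['abort']} "
              f"key_bits={len(res['alice_key'])}")
```

Without Eve the compared sample agrees exactly and the remaining bits form a shared key; with Eve the error rate jumps to roughly a quarter and the session is aborted. The model assumes ideal sources and detectors; real QKD hardware has been attacked through detector and source imperfections, which is the implementation caveat that sits alongside the information-theoretic guarantee.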

“The quantum internet in the form of Quantum Key Distribution has the advantage of being information-theoretically secure,” says Michael Kues, head of the Institute of Photonics at Leibniz University Hannover, Germany, and a step beyond “quantum-safe” algorithms “that only circumvent certain current threats of specific quantum computer algorithms.”

Ushering a QKD-powered infrastructure into reality, however, is an uphill climb. The bottleneck is the physics itself: the photons that carry qubits are easily absorbed or disturbed, so keeping a quantum signal intact over long distances is hard, and a qubit cannot simply be amplified or copied along the way. Significant progress has nonetheless been made in the last few years. China, for example, now operates a 1,263-mile quantum link between Beijing and Shanghai, built from shorter segments joined by trusted relay nodes; each relay must itself be physically secured, because the key is decrypted and re-encrypted at every hop, and true quantum repeaters that would remove this dependency remain experimental. Last month, research from Dr. Kues also showed how it could be possible to integrate and transmit quantum qubits over conventional internet channels.

Cybersecurity historically has favored attackers, but as long as physical security measures are frequently updated, “quantum internet will enable new kinds of cryptography that do fundamentally favor the defense side of things,” Dr. Mosca told Access Point Consulting.

“This rarely happens in cyber security, so we're excited to usher in these new tools,” added Dr. Mosca. But to truly benefit from the quantum era, organizations will need sufficient cryptographic diversity and defense in depth so that a future break of any one algorithm is not catastrophic. In practice that means inventorying where public-key cryptography is used, building the ability to swap algorithms without redesigning systems (crypto-agility), and, during the transition, combining a classical and a post-quantum algorithm so that both must fail before data is exposed.
